Posted
by
kdawson
on Thursday February 28, 2008 @04:01PM
from the tamper-proof-isn't dept.

An anonymous reader writes "Researchers from the University of Cambridge have discovered flaws in the card payment systems used by millions of customers worldwide. Ross Anderson, Saar Drimer, and Steven Murdoch demonstrated how a simple paper clip can be used to capture account numbers and PINs from so-called 'tamper-proof' equipment. In their paper (PDF), they warn how with a little technical skill and off-the-shelf electronics, fraudsters could empty customers' accounts. British television featured a demonstration of the attack on BBC Newsnight."

The reason the security is so poor is because the banks don't give a s**t. It's the _merchants_ that are liable for fraud, even though it's almost entirely the fault of the banks! They banks only have to make it just good enough that it's easier for the merchants to take credit cards than cash - even after the exorbitant ($0.25 + 2.5%) processing fees that they charge just to move the bits around.

The powers that be LOVE us using credit cards. They can track us, and they can dupe the feeble-minded among us into spending our way into a lifetime of indentured servitude.

The failure of our government to (re-)introduce a $1000 bill, in spite of massive inflation, is a deliberate scheme to make it impractical for us to use untraceable funds for any substantial purchase. And it has nothing to do with tracking terrorists or drug money, it's just to keep tabs on and control over the law abiding populous.

They don't have to give you change if they don't keep enough on hand for security reasons (there's almost always a sign to this affect) but if a $50 or a $100 is all you've got for a small purchase then I assure you, they'll take it if it's to pay for something you've already consumed.

I tried paying for my university tuition with cash (I have a cash based job) and the woman there said that I can only pay online with a credit card. After explaining that I am too young to have a credit card, and that I only had cash she relented. Even then, she said that they couldn't give me any change, so I had to go and get exact change. Its bullshit, not everybody can have a credit card, plus I like the anonymity that paying via cash provides.

Not everybody can have a checking account, especially if they are unfortunate or irresponsible. And which would you rather have, cash or an electronic transaction that can be reversed or check that can bounce?

Either way, as a merchant, I'm accepting the risk. With cash or EFT/ACH, it's harder for a customer to strongarm a merchant vs. the customer paying with a credit card and threatening a chargeback. And yes, customers threaten chargebacks over issues that aren't the merchant's fault/problem. The customer is not always right.

In the case of university tuition, whether he can get a debit card or not is irrelevant. Legal U.S. tender must be accepted by a creditor (the University) from the debtor (the student) to pay off a debt within the U.S. If the University required payment before it allowed the student to register for classes, then the University could require payment by credit card. However since the University extended credit to the student for the classes, it is required to accept legal tender as payment for those classes.

That's great to know, but it doesn't really help in a practical sense, legally I could pay $4000 in pennies (only 4000 because I'm in Canada), but I doubt they would accept that. I have a debit card, but use that to fund my eBay addiction via paypal, and I think that the government would be wondering why an "unemployed" university student is depositing a few thousand dollars a month into his bank account.

Devil's advocate...[...]can't pretty much everybody get a debit card tied back to a checking account?

If I'm right, those behave almost like credit cards - however, I'm not comfortable using one. In the event that there's fraud, the money is not in your account while it's being resolved. This isn't an issue with credit cards, since it's merely your credit being "on hold" rather than having money taken away from you. If you don't have a credit card, you generally don't have as much money to use (making fraud very damaging.)

I've worked in a customer service call center where people were calling up about u

True, that... but you can get a money order for only a nominal cost. In my experience with some banks, if the money order is for educational purposes (ie, to pay tuition) the money order fee is waived.

The data mining industry is so ingrained in our society that even if people started using $100 bills to pay for major purchases, the serial numbers on the bills would probably be scanned for tracking information. The only way you are going to get privacy in your monetary transactions is with a national privacy overhaul with penalties for data mining without permission. Since the government is one of the entities doing the data mining, this is probably not going to happen anytime soon.

This is a manufacturing design problem.These boxes can be made to make this attack nearly impossible.But it would cost another 5 bucks to manufacture it.

Hell, if the designed them so the case was steel, and as thin as an iPhone this problem goes away because:a) it would take serious effort even AFTER you knew what to do. Raises the risk.b) You couldn't attach something to it without it being noticed.

In Australia, merchant banks will only accept transactions encrypted to 3DES. This was a fairly recent change. Retailers (including the very large one I helped through the PIN pad changeover) spent rather a lot of money on the changeover, and had no complaints about the investment. Nobody watches the till quite like a grocer...

The problem is not missing encryption between the merchant and bank, the problem is with missing encryption between the merchant and the card reader/pin entering pad. The same readers/pads are still unencrypted, even though the merchant may be encrypting the data for the transaction to/from the bank.

It's like entering your credit card information on a website for a purchase. The connection to the server may be encrypted, but the data sent from your keyboard to your pc is not, and this is the same as where the hack with the card readers/pads is occurring.

Really? Over here our terminals require triple-DES encryption between the PIN-pad and the terminal and then the connection from the terminal to the payment processor is encrypted again. Anything else will not be certified for connection to the EFTPOS network.

I'm pretty sure the connection between the card reader and all external devices (POS stations, authorization network) is always encrypted. That's one of the basics for certification by Visa and the rest of the industry. The vulnerability demonstrated (based on my reading of TFA) occurs totally in the card reader/pad.

he failure of our government to (re-)introduce a $1000 bill, in spite of massive inflation, is a deliberate scheme to make it impractical for us to use untraceable funds for any substantial purchase. And it has nothing to do with tracking terrorists or drug money, it's just to keep tabs on and control over the law abiding populous.

It might also have something to do with the fact that most people aren't crazy enough to walk around with thousands of dollars on them. In the end, it wouldn't matter, because

Proprietary software AND hardware companies basically cannot be trusted. I've encountered countless amounts of commercial software, hardware products and services where the company states that they are very secure, but when investigating things myself, I find that its trivial to circumvent their security. You can read about some of the read about some of the poor security I've discovered recently with web hosting providers [suso.org]. Consumers deserve better than this and its all of our responsibilities to make all people aware of these problems. Ironically, this news program itself doesn't understand the value of open disclousure. I guess I can understand that as its human nature to want to hide things for fear of liability. But its not like they were doing something that's not so obvious that someone determined enough could figure out.

First rule of security in my book: Someone who wants something bad enough, they will be able to circumvent nearly anything in order to get it. So its a matter of how badly they want it. Since its money in question, I'd say that a variety of organizations and people want it pretty bad.

First rule of security in my book: Someone who wants something bad enough, they will be able to circumvent nearly anything in order to get it. So its a matter of how badly they want it. Since its money in question, I'd say that a variety of organizations and people want it pretty bad.

This reminds me of a quote (the source eludes me at the moment):

"If it can be engineered by one human, it can be reverse-engineered by another human."

I wonder if the next step is one time PIN entries that are tied to the card, similar to S/Key or OPIE passwords, but 4-6 numeric digits in length. The customer obtains the PIN series by scratching off codes on a card mailed from their bank or another secure channel.Another idea is to have the customer physically possess the unit that does the PIN entry as well as the smartcard. Perhaps instead of cards directly, have this be a module that is included in cellphones, and the customer's smartcard be a SIM ca

I've encountered countless amounts of commercial software, hardware products and services where the company states that they are very secure, but when investigating things myself, I find that its trivial to circumvent their security. Consumers deserve better than this and its all of our responsibilities to make all people aware of these problems.

Actually, one of my customer sites isn't using passwords specifically because they demanded that logging in be easy. Yeah, I had to write that code while simultaneously assuring my boss that it's "as secure as can be". I pretty much hated my life after having to design a legitimate login system and then having to hack in a back door so that these doofs could use barcodes to log in. Barcodes that anyone can photocopy.

If Clippy had been allowed to hang around in Windows he would at least been kept off the streets.

In related news, the alternate Clippy, the advice dog, lost his job as a neuticles model and was sold to a company that tests military grade blood-clotting bandages. He's shot in the abdomen three days a week so trainees can learn how to apply the dressings. And all because you didn't want a friendly little animated help-mate watching after you.

>> "As described in some detail in our paper, the basic attack tool is a paper clip. In order to record and analyze transactions a couple hundred pounds' worth of equipment is required, in addition to some digital design experience."

OK, a paper clip. PLUS A BUNCH OF OTHER STUFF.

Well, shoot, I could probably build an atomic weapon with a paper clip. PLUS A BUNCH OF OTHER STUFF.

That's true but it seems like, while it's trivial to break, it would also be trivial to fix.All they need to do is encrypt the account and PIN numbers on the card and then have them compared with the encrypted numbers on the bank's system and problem solved.

The way they've managed to break it is essentially to "tap" into the card readers and intercept the account and PIN numbers from the card. Then the fraudsters make fake cards with the information. It seems like ridiculously lousy authentication because a

Well, you have to admit that that in this case the paper clip is quite important.For those of you who haven't actually read the article (it is not unheard of!):They use it to peel through a hole in the back of a owner-accessible compartment for some rarely used extra modules to insert it into an open via in the pcb which just happens to carry a serial data line transmitting PIN and card details...You could even nicely mount your eavesdropper circuit in that compartment.

The huge security hole in the credit card system is the users. I flipped out at one of our vendors when they STORED my credit card number in their database, and just went ahead an charged it next time I was in the store.People will gladly give their credit card number over the phone to a shady pizza shop, just to get a 15 dollar pizza delivered to their door.We could build the most secure credit card system in the world, but the problem is that it has to be simple enough for idiots to use.

Which is not a problem if you use virtual account numbers (what Citibank calls it. I'm sure other banks have the same thing with different names) that are only authorized for one transaction for the amount you specify.

Vendors are the worse. I signup for a reoccuring bill cycle for an online game. They asked for the CVN(number on the back). They aren't allowed to store this number so why would they ask for it? I always wondered if I entered a fake CVN, would my credit card auth would fail at the end of the month.

What people are missing in this is that this pertains to certain card types mainly used in Europe. The type with RFID or embedded chips used for security. On standard US debit cards, there is no information sent to the card or from the card that ties to the PIN. The PIN is only seen by the pinpad component and immediately encrypted using a rotating DKPUT key algorithm before that, the card number and a sequence number are sent to be translated by a hardware security module. The pin pads themselves used by most US retailers are secure and do not pose a risk. If you tamper with most of those devices (example, the Welch Allyns used by best buy, lowe's and others) then the injected keys are erased and PIN translation fails. They normally don't remain out too long if they are tampered with since the stores will consider them broken and unusable when they don't work anymore. This is related to the system in place and used in the UK. The US system, while old, is only being updated currently to support the new double length key requirements and have not incorporated smart card support or RFID (except a few gas station chains). The most important thing in the US is to protect the card database since the data on the mag stripe can be used as a credit card. As for PIN security, don't tell others your pin, notice hidden cameras that look out of place and point at PIN pads and you should be safe. The way PIN numbers are stored at banks within a hardware security module is safe and those devices are very sensative to outside attack. They even employ motion sensors to prevent tampering in HSMs.

The PIN needs to be a moving target and much longer than 4 digits. Note that stateside that most automatic car washes are using at least 5 digit numbers to authenticate the sale as sold by the gas pump. (Example: SecurID or one-time pad.)

(offtopic)My biggest pet peeve is why are account numbers (on checks) in the clear while the same is basically true of PIN numbers (without any added "salt")

For checks I would like to see the account number + check number translated a 16 to 20 digit hash of which only the bank knows how to decipher to the correct account and check number?(/offtopic)

"of which only the bank knows"security through obscurity doesn't work. someones, somewhere will figure it out. Then you will think you are secure, less people will be looking out for potential fraud thus giving more room to the fraudsters.I have said it many times. Barring a radically new development, something that is a complete paradigm shift(literally not market speak) digital money will fail. You can NOT secure it for any real length of time.

Or better yet, encrypt the routing number/account number with a public key from the organization. Then only they can decrypt it with their private key. Or you could take it one step further and have the routing number BE the public key which encrypts your account number. Then only the issuing bank (and not the whole organization) can decrypt the information.

Something you have + something you know = secure enough for me to use in the wild. I want networked ATM,etc machines that accept smart cards. The card has a certificate or somesuch that can not be copied. The bank fires a challenge 'question' to the card. The card uses it's secret information to answer it. Then the transaction proceeds. As soon as you walk away with the card, the pin used to authorize things is useless. Something you have + something you know. I like the one time authorization scheme people

I'm not sure about the EU, but I know most of my credit cards support up to eight digits for a PIN. I take advantage of this whenever I can.As for the numbers printed on checks, apenzott has an excellent idea. It wouldn't be hard for banks to use a 128 or 256 bit encryption key stored in a secure location [1] and have each person's check printed with the encrypted bank account number, perhaps using the check number as the IV (so each check has a different value), although using the check number is a small

Given that a one way hash can't really be reversed, that idea doesn't make much sense in the way that you posted it. A one way hash at first makes sense, except in reality it doesn't, as currently deployed. The numbers on your check have a routing number and account number. Both are numeric values with relatively few permutations when contrasted against case sensitive alphanumeric hashing. The routing numbers of banks are also no secret. Put simply, it'd be a trivial matter to brute force the hash with the simple numeric values we use today.

OK, I'm using the wrong terminology.

Routing number keeps the same public self (we need to send the check to the correct bank for processing.)

Account number xxxxxxxx Check number yyyyy becomes zzzzzzzzzzzzzzzz.

Issuing bank has key to turn zzzzzzzzzzzzzzzz back into original component numbers and verify that z... was not some made-up number in attempt to create a "bad check" of which there is no real account number attached to. Also xxxxxxxx, once extracted is verified to the name printed on the check. Aft

Check numbers are incrimental and of limited permutation, again making the hash easy to brute force. If the hash changes with each check, it also becomes harder for retailers to identify bad checks based on account number. You're going to end up turning away legitimate customers money, and gain no security. By the time the check hits the bank, the fraud has been done. Also, "once extracted is verified to the name printed on the check"? Depending on your bank, this is already done. I signed a check with my r

Wow. The interview at the end of that piece has me floored. Imagine if industry people and politicians in the US were subjected to this sort of probing interview and actually responded. The interviewer had the representative from the credit card companies on the ropes the entire interview. Props to the BBC for doing some serious journalism.

KUDOS to the BBC for being a leader in all fronts of the Mass-Media. This video proves that they can do serious journalism, something that most media companies have forgotten how to do.Short, correct and difficult to answer questions. Ask the right questions, that's all it takes.

Indeed, I wish the media in this continent (we have the same problem with flaccid media in Canada too) would ask the tough questions like that. Alas most of the time the reporter doesn't even know what the story is about, and simply doesn't have the subject knowledge to ask such pointed questions. Then of course they would have to care enough to hold the subject accountable.Far too often I hear interviews were the subject gives some double-talk half twisted lie which makes no sense, and the interviewer si

Jeremy Paxman is famous for being a tough questioner. His most notorious interview [youtube.com] was with a slimy politician who later led the Tories to defeat against Tony Blair's Labour. I'm not sure what Paxman's personal politics are, but he certainly doesn't appreciate being messed around. Michael Howard can be sure that if one of his political opponents had weaseled around like that he would have had equally short shrift.

BBCAmerica is going to start broadcasting "Newsnight" from the 29th, though I don't know whether it's going to be the whole programme (for example, the reviews to the front pages of tomorrows newspapers won't always make sense). Paxo is heavily featured in the trails, along with the moments we remember him for.

You beat me to the punch. If our media wasn't so asleep and staying in the good graces of various groups for potential favors, rather than putting them in a position to defend themselves, maybe we'd get a little more truth in our news.

>>Imagine if industry people and politicians in the US were subjected to this sort of probing interview...
It's worth wathing NewsNight in the US when they cover US items (the BBC makes every program available on the web after broadcast). Sometimes Jeramy Paxman will get his teath into American politician or representative who is completly un prepared for this type of interview. It happened to someone high up in the US (can't remember who) administration in the lat Iraq conflict and he was really kno

It doesn't really matter what technology you use for monetary transactions, there are bad people who will work harder to steal it than to earn their own money. Just minimalise your risk and stop worrying about it.

How is cash safer?
If I use a brute-force attack and take your credit card, in theory you don't lose anything.
If I use a brute-force attack and take your big wad of bills, you'll never see them again.

They can only take what you have on you.No one has you arrested because they want to make you the criminal.It is very hard to hold someone up from overseasTo rob you people have to be exposed to the surroundings.

I want how much money was physically taken from people in that same time period?

Credit cards are so incredibly insecure that the only reason people use them is that the banks so far have been willing to cover the costs of fraud (in most cases and as long as the card holder hasn't contributed to it through negligence).

That's because the banks don't eat the cost of fraud, the merchants do. If I have an online store and someon uses a stolen card to buy something from me, I'm the one that gets screwed. The credit card companies reverse the charge, AND charge the merchant a fee for it happening. Then the merchant is out the money, a fee, AND the product they shipped to a thief. The lamest part is the credit card companies don't even provide you the tools to prove that a transaction is legitimate.

I've been wanting something much more sophisticated than a 'shared secret' that you have to give to anyone to give money. If I let random restaurant a charge me 2 bucks for a drink, I have to give them potentially full access to my accounts.

Where's my private/public cryptography? I want to carry around my own damned device with keypad and display. The display would show me *exactly* what my financial institution will think I'm authorizing, and the keypad would be used to enter the passphrase to decrypt my private key, which is never ever ever transferred outside of the devices local filesystem. It's generated by the device and the public portion uploaded in a secure manner to my financial institution. The secure manner is a complicated issue, but there are degrees of inconvenience that can be induced to do it right, and allow me to opt to allow nothing more convenient than that.

I go to a damn store or online retailer.. When ready to purchase, it somehow gets the data to my device (maybe encrypt with my public key, maybe direct connect to my device, maybe through the financial institution, whatever, the security risk in this transaction being the nature of what I'm buying, not in any way risking the actual money being transfered). I enter my passphrase (which could be as simplistic as a 4-digit pin, but at my discretion, not theirs) to signify accepting the terms my display gives me (i.e. authorized wal-mart to take 5 dollars from my account this one time, or authorize phone company to withdraw no more than 25 dollars on a monthly basis, the transaction may have tolerances and periodic, but always show me the tolerances and period and *who* I'm really authorizing to get the mony). With my private key decrypted, use it to sign the payload, then my financial institution *must* receive that cryptographically signed authorization to transfer payment. The retailer *never* has anything more than data to confirm that one transaction (or reuse for repeat data if I declare that trust, within definable thresholds). To commit 'identity theft' (horrible phrase), they would either need to compromise the financial institutions database with *write* access to replace my public key with their own (by the way, invalidating my real key so I should notice it) or steal my device physically, which I should know. The device should overwrite memory contents where the key was with random bytes every time it completes an authorization, and therefore physical theft or tampering should lead to a dead end without my passphrase.

You forgot the step where your computer has a key logger installed and someone overseas now has all your data.

Someone steals my device or gains unauthorized access and *then* returns it to me unnoticed is *far* more likely to be noticed than taking my card, scribbling the number on the front and back, and putting it back. Or for random POS equipment to be instrumented that I interact with. Or for some old-fashioned place with the carbon copies or some stands to be set up. At least the security risk lies in the implementation of the device, *not* fundamental to the system. Sure, *the* most secure proposition is currency, but other than direct physical interaction, currency is *not* feasible for the same reasons its good for face to face. Mail currency and anyone can intercept and use it, as it's not traceable and not targeted.

That's not even getting into your other major flaw, and your incorrect assumption.

It would be much easier to discuss those points if you at least mentioned what they were.

Actually, chip cards (EMV) do work in a manner similar to what you describe (public/private key encryption). The problem highlighted by the report is that it is possible to capture the PIN as it passes from the PIN pad before being transmitted. This part of the equation is unencrypted atleast in one model of terminals from one manufacturer. As far as I know, just about every other POS terminal as well as the keyboards on the ATMs only pass on encrypted PINs (except for older models!).

I'm having to trust the physical security of whatever device I'm interacting with, bringing my own keyboard and display gives me insurance on their mechanisms.

And so the chip cards have processing elements on card that have data input and output, and never make available their contents to any device they interact with? Or is there assumption that the ATM/POS equipment is all trustworthy and secure and will discard the data and never be possibly compromised by a malicious retailer?

Seriously though, identity theft is one of the big scary monsters that is used to scare the public on a daily basis. If an offering that experts agreed was highly resistant to identity theft, some consumers may jump at it after all the fear mongering.

How do I know someone hasn't disassembled the device, and put in some bug. Best case on the part of the device, extra pads under the buttons to register the presses, or a camera positioned just right.

That's why I say my device must have a private keypad/display, so I don't have to trust the POS equipment at all. Besides, doesn't cover credit card numbers, which remains the significant share of online purchases.

US Cards do not have the pin stored on the card. That's like keeping your password in your top desk drawer. This attack will not affect US Cardholders. Could you accomplish the same thing? Yes, but much more difficultly. And that's what security really is about, making a target so difficult thieves go elsewhere.

As the woman in the interview said, this isn't a probable method of widespread attack. It requires lengthy access to a chip and pin terminal to drill a hole in it and run a wire through. This wire would have to lead to a box or wireless transmitter. Takes a while to do, isn't easy to remove quickly and requires permanent evidence.On the otherhand, you can attach a skimmer to a reader to copy the magnetic strip and set up a camera to capture the pin in 5 minutes and remove it in 20 seconds. Far easier method

What is really needed is that the cards have an integral keypad - so that communication between the chip and the keypad cannot be intercepted, you entering your PIN would activate the card that could then talk over an encrypted link (eg SSL) directly to the bank's computer.

OK: this would make the cards somewhat bulky and since people tend to have several cards their pockets would bulge. So why not allow people to buy their own small keypads (which they trust to not have been tampered with) that they can plug their cards into and plug the whole lot into the retailer's machine.

Yeah, the summary is pretty misleading, since you need a paper clip, and field programmable gate array with RS232 interface or microcontroller. Yes, these are easy to obtain items, but the summary sounds like you can just use the paper clip. (And, I suppose feel the bits as electric shocks on your tongue or something.)

Banks seem to think a system is secure enough as long as
the number of cases where customers are exploited, are few
enough. This way the bank can repay the customers with little
arguing, and prevent these stories from reaching the media.
In Norway there is a story that has been running in the
media where a Professor at the University of Bergen and
a group of students have shown that the system used by
Norwegian banks to offer Banking services on the internet
have flaws that can be exploited. The banks take the same route
and try to claim that the system is secure and have their PR
people find technical terms like calling it a theoretical attack.
(Actually the attack is far from theoretical).
The interesting part is how the banks just keep trying to
convince the media and people in general instead of sitting
down with the researchers at the University and try to
find a solution.
After the first case in the media, the banks worked to fix the security
holes, but the researchers didn't even need a day to find a way
around the new protections.
Since this system is considered for a national authentication standard
the appropriate minister in the Norwegian government is involved,
and is siding with the professor and not the banks.